Closed sternhenri closed 5 years ago
If we do (1) ... -> VDF -> VDF -> VDF -> ... and we sample randomness from these values for leader election, then an attacker who breaks the VDF (speeds it way up) can predict the future indefinitely (bad). If we mix (2) VDF -> VRF -> VDF -> VRF, an attacker that breaks the VDF will not know the future indefinitely (still bad but less bad).
The advantage of (1) is we get a global lottery (prevents grinding) with no lookback parameter. This means that the leader election lottery has "no predictability" (if no variance in VDF evaluation time). With (2) we can get a semi-global lottery only using a lookback parameter and that opens up local predictability issues, because we can know our leader election wins in the near future.
Claim: The cost of the lbp (the guaranteed local predictability) is less than the cost of opening up the indefinite local predictability of an attacker who potentially breaks the VDF.
Key takeaways from FIL Research week in Dec (to be made legible soon). cc @ZenGround0
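The difference between (1) and (2) can be modelled as a prediction horizon. The following is an added example, not part of the original issue or of any project code. It assumes that in (2) the VRF at each step is evaluated by the leader selected from the previous value, and it uses iterated SHA-256 and HMAC as toy stand-ins for a real VDF and VRF; the participant count and keys are constructed.

```python
import hashlib
import hmac

N = 10  # number of participants (constructed)
KEYS = [hashlib.sha256(b"sk%d" % i).digest() for i in range(N)]  # constructed VRF keys

def vdf(x: bytes, steps: int = 1000) -> bytes:
    """Toy VDF stand-in: sequential hashing. 'Broken' = the attacker evaluates it instantly."""
    for _ in range(steps):
        x = hashlib.sha256(x).digest()
    return x

def vrf(sk: bytes, x: bytes) -> bytes:
    """Toy VRF stand-in: keyed hash, so only the key holder can evaluate it."""
    return hmac.new(sk, x, hashlib.sha256).digest()

def leader(value: bytes) -> int:
    """Leader election sampled from the current randomness value."""
    return int.from_bytes(value[:8], "big") % N

def honest_chain(seed: bytes, rounds: int, mixed: bool) -> list:
    """Values the protocol actually produces: (1) VDF only, or (2) VDF -> VRF -> VDF."""
    out, r = [], seed
    for _ in range(rounds):
        r = vdf(vrf(KEYS[leader(r)], r)) if mixed else vdf(r)
        out.append(r)
    return out

def attacker_view(seed: bytes, rounds: int, mixed: bool, owned: set) -> list:
    """Future values computable ahead of time with an instant VDF and the keys in `owned`."""
    out, r = [], seed
    for _ in range(rounds):
        if mixed:
            who = leader(r)
            if who not in owned:  # next value needs someone else's VRF output
                break
            r = vdf(vrf(KEYS[who], r))
        else:
            r = vdf(r)            # nothing secret in the chain: predictable indefinitely
        out.append(r)
    return out

if __name__ == "__main__":
    for mixed in (False, True):
        ahead = attacker_view(b"genesis", 50, mixed, owned={0})
        print("(2) VDF->VRF" if mixed else "(1) VDF only", "rounds predictable:", len(ahead))
```

In this model the horizon under (2) ends at the first round whose leader is not controlled by the attacker, while under (1) it is limited only by how many rounds the attacker chooses to compute.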